How to throttle login attempts in Java webapp?

Posted by Jörn Zaefferer on Stack Overflow
Published on 2009-01-19T13:33:23Z Indexed on 2010/04/10 14:53 UTC

I want to implement an efficient mechanism to throttle login attempts in my Java web application, to prevent brute-force attacks on user accounts.

Jeff explained the why, but not the how.

Simon Willison showed an implementation in Python for Django. That doesn't really help me along, as I can't use memcached or Django.

Porting his ideas from scratch doesn't seem like a great idea either - I don't want to reinvent the wheel.

I found one Java implementation, though it seems rather naive: instead of an LRU cache, it just clears all entries after 15 minutes.

EHCache could be an alternative for memcached, but I don't have any experience with it and don't really want to introduce yet another technology if there are better alternatives for this task.

So, what's a good way to implement login throttling in Java?
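
An added example, not part of the original post and not taken from any of the implementations it mentions: a JDK-only throttle that keeps failure counters in a size-bounded LRU map and expires each key on its own window instead of clearing everything at once. The class name `LoginThrottle`, its method names and its parameters are hypothetical; the 15-minute interval from the question would be passed as `windowMillis`.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.LongSupplier;

/** In-memory login throttle: a size-bounded LRU map of per-key failure counters. */
public class LoginThrottle {
    private static final class Counter { int failures; long windowStart; }

    private final int maxFailures;
    private final long windowMillis;
    private final LongSupplier clock; // e.g. System::currentTimeMillis; injectable for tests
    private final Map<String, Counter> counters;

    public LoginThrottle(int maxFailures, long windowMillis, int maxEntries, LongSupplier clock) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        this.clock = clock;
        // accessOrder=true keeps least-recently-used keys first; they are evicted past the cap.
        // In this mode even get() reorders the map, so every access below is synchronized.
        this.counters = new LinkedHashMap<String, Counter>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<String, Counter> eldest) {
                return size() > maxEntries;
            }
        };
    }

    /** Check before verifying the password; key is e.g. a username or a client address. */
    public synchronized boolean isBlocked(String key) {
        Counter c = live(key);
        return c != null && c.failures >= maxFailures;
    }

    public synchronized void recordFailure(String key) {
        Counter c = live(key);
        if (c == null) {
            c = new Counter();
            c.windowStart = clock.getAsLong();
            counters.put(key, c);
        }
        c.failures++;
    }

    public synchronized void recordSuccess(String key) { counters.remove(key); }

    // Returns the unexpired counter, dropping only this key once its own window has passed.
    private Counter live(String key) {
        Counter c = counters.get(key);
        if (c == null || clock.getAsLong() - c.windowStart < windowMillis) return c;
        counters.remove(key);
        return null;
    }
}
```

LRU eviction discards a key's counter when the map is full, so `maxEntries` has to be large enough that a flood of failures on other keys cannot push a throttled key out and reset it. The state lives in one JVM; a clustered deployment needs a shared store for the counters.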

© Stack Overflow or respective owner